Veracode’s RESTful APIs use Hash-based Message Authentication Code (HMAC) for authentication, which provides a significant security advantage over basic authentication, where the username and password are sent with every request. Passing credentials in the clear is not a recommended practice from a security perspective; transport encryption is definitely preferred for obvious reasons, but HMAC goes a step further: the request carries only a unique, per-request signature, never the credential itself.
Developers familiar with Amazon Web Services (AWS) may already have experience with this method of authentication, as it is the primary method used by AWS. In fact, Veracode began providing users the ability to use HMAC authentication when utilizing our suite of integration products and Java/C# SDKs in early 2016.
What Is HMAC Authentication?
With Hash-based Message Authentication Code (HMAC), the server and the client share a public ID and a private Secret Key (for more information on obtaining an ID and Secret Key with Veracode, please see our help center). Unlike a password in basic authentication, the Secret Key is known to both the server and the client but is never transmitted. Rather than sending the Secret Key in the request, the client uses it together with a hash function to generate a unique HMAC signature over the request, and sends that signature along with the public ID, a nonce, and additional request information. The server receives the request, generates its own HMAC from its copy of the Secret Key, and compares the two – if they are equal, the request is executed (this process is referred to as the “secret handshake”). Thus, the Secret Key is used to confirm the authenticity and integrity of a request but is never transmitted in that request. For more information about HMAC, please visit this link.
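The exchange described above, as an added example that is not Veracode's own library code: the client signs the request with the shared Secret Key, and the server rebuilds the signature from its own copy and compares it in constant time, also rejecting stale timestamps and replayed nonces. The canonical string layout, the HMAC-SHA256 scheme name and the sample credentials are assumptions for the demo, not Veracode's actual signing format.

```python
import hashlib
import hmac
import os
import time

# Constructed sample credentials for the demo; not real Veracode IDs or keys.
API_ID = "0123456789abcdef"
SECRET_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

# Server-side record of nonces already accepted (a real service would expire these).
SEEN_NONCES = set()


def canonical_string(api_id, method, host, path, nonce, ts):
    """Both sides must build exactly the same string to sign (assumed layout)."""
    return f"id={api_id}&host={host}&url={path}&method={method}&nonce={nonce}&ts={ts}"


def sign_request(api_id, secret, method, host, path, nonce=None, ts=None):
    """Client side: compute the HMAC and emit an Authorization header value.
    The Secret Key never leaves this function; only ID, nonce, timestamp and
    signature are sent. Nonce and timestamp are hex/decimal, so no delimiters."""
    nonce = os.urandom(16).hex() if nonce is None else nonce
    ts = str(int(time.time() * 1000)) if ts is None else ts
    data = canonical_string(api_id, method, host, path, nonce, ts).encode()
    sig = hmac.new(secret, data, hashlib.sha256).hexdigest()
    return f"HMAC-SHA256 id={api_id},ts={ts},nonce={nonce},sig={sig}"


def verify_request(header, method, host, path, secret_lookup, now_ms, max_skew_ms=300_000):
    """Server side: rebuild the signature from the server's copy of the Secret Key.
    Rejects unknown IDs, stale timestamps, replayed nonces and tampered requests."""
    scheme, _, params = header.partition(" ")
    if scheme != "HMAC-SHA256":
        return False
    try:
        fields = dict(kv.split("=", 1) for kv in params.split(","))
        api_id, nonce, sig, ts_raw = fields["id"], fields["nonce"], fields["sig"], fields["ts"]
        ts = int(ts_raw)
    except (ValueError, KeyError):
        return False
    secret = secret_lookup(api_id)
    if secret is None or abs(now_ms - ts) > max_skew_ms or nonce in SEEN_NONCES:
        return False
    data = canonical_string(api_id, method, host, path, nonce, ts_raw).encode()
    expected = hmac.new(secret, data, hashlib.sha256).hexdigest()
    # Constant-time comparison so timing does not leak how much of the signature matched.
    if not hmac.compare_digest(expected, sig):
        return False
    SEEN_NONCES.add(nonce)  # record the nonce only after a successful check
    return True
```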
How Does HMAC Authentication Affect Me?
HMAC provides significant security improvements when making API calls to Veracode. While more secure than basic authentication, it requires additional steps to perform API calls. Veracode does minimize and streamline the HMAC calculation to make this process simple and easy for users. In fact, there are several examples of HMAC authentication code and sample libraries available for your reference in the Veracode Help Center and on our GitHub page:
If you are looking to use curl or a similar command line tool to execute Veracode API calls, we recommend using HTTPie with the Veracode Python Authentication Library.
If you have any questions about implementing HMAC and Veracode ID and Key, please post in the Veracode Community Integrations Group - if you haven’t yet, you are welcome to join the community!